WordPress Plugin Vulnerabilities

WP Customer Area < 8.2.5 - Event Log Deletion via CSRF

Description

The plugin does not have CSRF check in place when deleting its logs, which could allow attackers to make a logged in to delete them via a CSRF attack

Proof of Concept

Affects Plugins

Plugin icon
customer-area
Fixed in 8.2.5

References

CVE
CVE-2024-12280
URL
https://research.cleantalk.org/CVE-2024-12280/

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Krugov Artyom
Submitter
Krugov Aryom
Submitter website
https://research.cleantalk.org
Verified
Yes
WPVDB ID
2b32c0b8-28bb-4220-800b-4c369bca91c5

Timeline

Publicly Published
2025-01-06 (about 11 months ago)
Added
2025-01-06 (about 11 months ago)
Last Updated
2025-01-16 (about 11 months ago)

Other

Published
Title
Published
2025-01-16
Title
Floatbox Plus <= 1.4.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-11-11
Title
Seriously Simple Podcasting < 3.14.0 - Cross-Site Request Forgery
Published
2024-05-31
Title
Widget Bundle <= 2.0.0 - Widget Disable/Enable via CSRF
Published
2023-11-16
Title
Arigato Autoresponder and Newsletter < 2.7.2.3 - CSRF
Published
2022-06-20
Title
WP Maintenance Mode & Coming Soon < 2.4.5 - Subscribed Users Deletion via CSRF